Doc Bug #73655 Spoofchecker::isSuspicious behavior change due to upstream changes
Submitted: 2016-12-05 15:31 UTC
Modified: 2017-10-24 05:12 UTC
From: sjon at hortensius dot net
Assigned:
Status: Open
Package: intl (PECL)
PHP Version: 7.1.0
OS:
Private report: No
CVE-ID: None

 [2016-12-05 15:31 UTC] sjon at hortensius dot net
Description:
------------
It seems Spoofchecker::isSuspicious is broken; testing an example from the manual, all PHP versions work fine except 7.1.0.

This seems related to an update which was done to the localization which was not present in any of the RCs (insert rant about RCs being real RCs here).

Test script:
---------------
See https://3v4l.org/5HWQT, script was copied from http://php.net/manual/en/spoofchecker.issuspicious.php

<?php
$checker = new Spoofchecker();

var_dump($checker->isSuspicious('google.com'));
var_dump($checker->isSuspicious('Рaypal.com'));

Expected result:
----------------
bool(false)
bool(true)

Actual result:
--------------
bool(false)
bool(false)

 [2016-12-05 15:51 UTC] sjon at hortensius dot net
This might also be related to the recently released ICU-58 (http://site.icu-project.org/download/58) with which 7.1 was compiled. I'm sure distros will compile with the same ICU, but this might be the reason I didn't find a suspicious commit in php-src itself.
 [2016-12-05 16:22 UTC] sjon at hortensius dot net
I have confirmed php-7.1.0 compiled with ICU 55 works fine. Compiled with ICU 57 also works. Can anyone confirm if this is a bug with ICU itself, or with PHP's usage of ICU?

This is still a problem, as distros such as ArchLinux will soon release with ICU-58 and experience this issue.
 [2016-12-05 16:22 UTC] me at kelunik dot com
Works for me with ICU 55, so it seems to be an ICU problem.

$ php -v
PHP 7.1.0 (cli) (built: Dec  5 2016 17:15:16) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies

$ cat bug73655.php 
<?php

$checker = new Spoofchecker();

var_dump($checker->isSuspicious('google.com'));
var_dump($checker->isSuspicious('Рaypal.com'));

$ php bug73655.php 
bool(false)
bool(true)

$ apt-show-versions libicu-dev 
libicu-dev:amd64/xenial 55.1-7 uptodate
libicu-dev:i386 not installed
 [2016-12-05 16:34 UTC] requinix@php.net
-Summary: Spoofchecker::isSuspicious broken
+Summary: Spoofchecker::isSuspicious behavior change to due upstream changes
-Status: Open
+Status: Verified
-Package: I18N and L10N related
+Package: intl
 [2016-12-05 16:34 UTC] requinix@php.net
I don't understand the terminology but it seems this was an intentional change (or at least accepted side effect) with ICU 85.
http://bugs.icu-project.org/trac/ticket/12549

So this is tentatively NAB and in need of documentation changes, but for all I know there may be a way to preserve the old behavior, possibly involving toggling assorted spoofchecking options if the uspoof C API has that.
 [2016-12-05 16:35 UTC] requinix@php.net
-Summary: Spoofchecker::isSuspicious behavior change to due upstream changes
+Summary: Spoofchecker::isSuspicious behavior change due to upstream changes
 [2016-12-05 17:33 UTC] cmb@php.net
-Assigned To:
+Assigned To: stas
 [2016-12-05 17:33 UTC] cmb@php.net
One can get around the removal of WSC and MSC by setting the list of allowed locales manually, see <https://3v4l.org/33qXs>, for instance. So this might be solely a documentation issue.

Stas, as you're listed as ext/intl maintainer, what do you think?
 [2017-10-20 18:16 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f95063647ccebfde5e8e39bc3349e63f19662395
Log: Fixed bug #73655 Spoofchecker::isSuspicious behavior change due to upstream changes
 [2017-10-20 18:16 UTC] ab@php.net
-Status: Verified
+Status: Closed
 [2017-10-20 18:32 UTC] ab@php.net
-Status: Closed
+Status: Re-Opened
-Type: Bug
+Type: Documentation Problem
 [2017-10-20 18:32 UTC] ab@php.net
The behavior change should be fixed here http://git.php.net/?p=php-src.git;a=commitdiff;h=f95063647ccebfde5e8e39bc3349e63f19662395 

ICU > 58 has undergone significant BC breaches; more fixes might be necessary. In general, the fact that a locale was needed to have the right suspicious checks was not new. Now, with the removal of the MSC and WSC, as well as the single script and lower case data removals, it becomes unavoidable. I thought about enforcing the empty allowed locales check, but it seems a bit too much ATM. Still, this issue is worth documenting, as there are no good ways to bring ICU to the old behavior. Neither would it make much sense regarding the latest Unicode security specs. Turning this into a doc issue now; further tests on the subject are appreciated to catch possible misbehaviors with modern ICU.

Thanks.
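
Added example, not part of the thread and not php-src code: the workaround cmb describes (an explicit allowed-locale list) combined with a startup self-test on the manual's two sample strings, so that an ICU upgrade which changes isSuspicious() results fails loudly instead of silently accepting spoofed names. The function names are hypothetical and `en_US` as the allowed locale is an assumption; ext/intl must be loaded.

```php
<?php
// Added example; function names are hypothetical, 'en_US' is an assumed policy.

/**
 * Build a checker restricted to the scripts used by the given locales,
 * instead of relying on the default-constructed checker's behaviour.
 */
function makeChecker(string $allowedLocales = 'en_US'): Spoofchecker
{
    $checker = new Spoofchecker();
    $checker->setAllowedLocales($allowedLocales);
    return $checker;
}

/**
 * Canary for the linked ICU: the benign sample must pass and the
 * mixed-script sample must be flagged. Run at startup or in CI so a
 * library upgrade cannot quietly turn the check into a no-op.
 */
function assertCheckerWorks(Spoofchecker $checker): void
{
    $benign  = 'google.com';
    $spoofed = "\u{0420}aypal.com"; // U+0420 CYRILLIC CAPITAL LETTER ER, then Latin

    if ($checker->isSuspicious($benign) || !$checker->isSuspicious($spoofed)) {
        // Fail closed: refuse to continue with a checker that misclassifies.
        throw new RuntimeException(
            'Spoofchecker self-test failed with ICU ' . INTL_ICU_VERSION
        );
    }
}

/** Accept a name only if the self-tested checker does not flag it. */
function isNameAcceptable(Spoofchecker $checker, string $name): bool
{
    return !$checker->isSuspicious($name);
}

$checker = makeChecker('en_US');
assertCheckerWorks($checker);

foreach (['google.com', "\u{0420}aypal.com"] as $name) {
    printf("%s => %s\n", $name, isNameAcceptable($checker, $name) ? 'ok' : 'suspicious');
}
```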
 [2017-10-24 05:11 UTC] kalle@php.net
-Status: Re-Opened
+Status: Assigned
 [2017-10-24 05:12 UTC] kalle@php.net
-Status: Assigned
+Status: Open
-Assigned To: stas
+Assigned To:
Last updated: Sun Nov 19 01:31:42 2017 UTC